Skip to main content

SSL/TLS OpenVPN with HMAC Authenication

These instructions work on CentOS 6.x, Debian 6.x, Knoppix 6.x and probably other Linux distributions. (Easy-RSA and files kept in the directory /usr/share/doc aren't always available.) How the OpenVPN service runs on the server depends on how the service is configured to accept connections from clients. Additionally, clients have to be configured to communicate with that specific service. 

Server Instructions
1. Generate a RSA private key of 1024 bits encrypted using triple DES:
openssl genrsa -des3 -out ca.key 1024;

2. Generate a new certificate signing request using your RSA private key:
openssl req -new -key ca.key -out ca.csr;

3. Generate a self-signed root certificate that expires in 365 days:
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt;
cp ca.crt /etc/openvpn/keys;
scp ca.crt root@<client hostname>:/etc/openvpn/keys;

4. Generate a certificate file and a key file for the server, sign it with the root certificate key:
openssl req -new -keyout server.key -out server.csr;
openssl x509 -req -days 90 -in server.csr -signkey ca.key -out server.crt;
mv server.key server.crt /etc/openvpn/keys;

5. Generate a certificate file and a key file for each client, sign it with the root certificate key:
openssl req -new -keyout client.key -out client.csr;
openssl x509 -req -days 30 -in client.csr -signkey ca.key -out client.crt;
scp client.crt client.key root@<client hostname>:/etc/openvpn/keys; 

6. Generate a static key to work with SSL/TLS certificates for HMAC authenication:
openvpn --genkey --secret hmac.key
cp hmac.key /etc/openvpn/keys;
scp hmac.key root@<client hostname>:/etc/openvpn/keys;

7. Create the configuration file "server.conf" of the OpenVPN service in the directory "/etc/openvpn":
touch /etc/openvpn/server.conf;
echo "local <private address>
port 1194
proto udp
dev tun0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
secret /etc/openvpn/keys/hmac.key
server <network id of private network> <subnet mask>
keepalive 10 120
tls-auth hmac.key 0
comp-lzo
max-clients 5
user <user owner of tunnel>
group <group owner of tunnel>
status /var/log/openvpn/openvpn-status.log
verb 4
mute 10" > /etc/openvpn/server.conf;

8. Create the configuration file "tun0.conf" for the tun device of the OpenVPN service in the directory "/etc/openvpn":
touch /etc/openvpn/tun0.conf;
echo "dev tun0
ifconfig <server ip address> <client ip address>
secret /etc/openvpn/keys/hmac.key" > /etc/openvpn/tun0.conf; 

9. Enable kernel IP forwarding in the server:
echo '1' > /proc/sys/net/ipv4/ip_forward;
sysctl net.ipv4.ip_forward=1;

10. Automatically start your OpenVPN service on boot up:
update-rc.d openvpn <options>;

11. Edit the file "/etc/hosts.allow" that's the hosts access control list for allowing access to services on your server from specific hostnames, IP addresses, networks, and FQDNs:
<service or wildcard>: <hostname> <ip address>/<subnet mask> <fqdn>

12. Edit the file "/etc/hosts.deny" that's the hosts access control list for denying access to services on your server from specific hostnames, IP addresses, networks, and FQDNs:
<service or wildcard>: <hostname> <ip address>/<subnet mask> <fqdn>

13. Start the OpenVPN service:
service openvpn start;

14. Forward client connections to your OpenVPN service through your routed IP tunnel device "tun0":
iptables -A INPUT -i <interface> -p udp --dport 1194 -j FORWARD;
iptables -A FORWARD -i <interface> -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT;
iptables -A FORWARD -o <interface> -s <private network>/<prefix length> -j ACCEPT;
iptables -t nat -A POSTROUTING -o <interface> -s <private network>/<prefix length> -j MASQUERADE;  

Client Instructions
1. Create the configuration file "client.conf" of the OpenVPN service in the directory "/etc/openvpn":
touch /etc/openvpn/client.conf;
echo "client
dev tun0
proto udp
ns-cert-type server
remote <server address> 1194
resolve-retry infinite
nobind
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key
secret /etc/openvpn/keys/hmac.key
comp-lzo
verb 4" > /etc/openvpn/client.conf;

2. Create the configuration file "tun0.conf" for the tun device of the OpenVPN service in the directory "/etc/openvpn":
touch /etc/openvpn/tun0.conf;
echo "dev tun0
ifconfig <client ip address> <server ip address>
secret /etc/openvpn/keys/hmac.key" > /etc/openvpn/tun0.conf;

3. Check the client's configuration file for errors:
openvpn --config client.conf;

4. Add new routes to the OpenVPN service on the client:
ip route add <server ip address> via <gateway ip address> dev <outgoing interface> proto static;
ip route change default via <client tun0 ip address> dev tun0 proto static;

5. Allow outgoing client connections to the OpenVPN through your firewall:
iptables -A INPUT -i <interface> -p tcp --sport 1194 -j ACCEPT
iptables -A OUTPUT -o <interface> -p tcp --dport 1194 -j ACCEPT 

Do you have a suggestion about how to improve this blog? Let's talk about it. Contact me at David.Brenner.Jr@Gmail.com or 720-584-5229.

Comments

Post a Comment

Comments to this blog will be reviewed within 72 hours. No trolling please

Popular posts from this blog

OpenStack+Ceph as Software-Defined Storage

SDS reduces the costs of the management of growing data stores by decoupling storage management from its hardware to allow for centralized management of cheaper, popular commodity hardware. The example SDS ecosystem uses open source software like OpenStack as a front-end interface on top of Ceph as the resource provider of a RADOS cluster of commodity solid-state drives. OpenStack provides user-friendly wrappers for accessing and modifying underlying Ceph storage. OpenStack comes in the form of distributed microservices with RESTful API's: Block (Cinder), File (Manila), Image (Glance), and Object (Swift). Each microservice can scale-out as a cluster of stand-alone services to accommodate the varying demands of high-growth storage. With OpenStack the underlying Ceph storage can address the block storage needs, file storage needs, image storage needs, and object storage needs of datacenters adopting open source as their new norm in an industry trend for high performace and high a
1 comment
Read more

Network traffic monitoring in Linux with Python

You can investigate suspicious activity in your network traffic by collecting relevant machine data from your endpoint. You can use the machine data to create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest one or more of the following machine data: Application specific logs from /var/log Raw dumps from sniffing at Layers 2-3 Raw dumps from /proc of kernel data structures Raw dumps of kernel routing tables General system-wide error messages from /var/log/syslog Do you
Post a Comment
Read more

Continuous Integration (CI) Best Practices

Continuous Integration (CI) automates the building and testing of software in a test environment whenever a change is committed to a revision control system. CI performs QA testing of a change before adding it to the current working version. CI makes sure all development can be integrated into a build. CI Best Practices 1. Maintain a test environment that's a clone of the production environment. 2. Maintain a revision control system such as CVS, SVN or Git. 3. Automate the building of software and the documenting of code in the test environment. 4. Automate QA testing of a change then report that change to developers. 5. Commit changes regularly to avoid integration conflicts. 6. Monitor the revision control system for a commit then build the software before replacing the current working version. Do you have a suggestion about how to improve this blog? Let's talk about it. Contact me at David.Brenner.Jr@Gmail.com or 720-584-5229.
Post a Comment
Read more